#!/bin/bash
################################################################
# Base platform setup for x86_64 CentOS 6 #
# Defines yum & base tools, locks security files && tunes kernel sysctl #
# Author pharmacodia #
# Create_Time: 20170212 #
# Last_Modified: 20171213 #
################################################################
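#######################################
# Pre-flight checks: must be root, on an x86_64 CentOS 6 box.
# Side effects: rewrites LANG in /etc/sysconfig/i18n and installs
# redhat-lsb + wget via yum. Exits 1 on any failed check.
#######################################
check_env() {
  sleep 1
  cat <<'EOF'
+----------------------------------+
|will be check env..... |
+----------------------------------+
EOF
  # Everything later writes under /etc and installs packages.
  if [[ "$(id -u)" != "0" ]]; then
    echo "Must be root can use !"
    exit 1
  fi
  local platform
  platform=$(uname -i)
  if [[ "$platform" != "x86_64" ]]; then
    echo "Check system is x86_64 CentOS bit!"
    exit 1
  fi
  # UTF-8 locale for the rest of the run, persisted in i18n.
  # (The original used non-ASCII quote characters around the sed script,
  # which bash does not treat as quotes, so the edit never worked.)
  sed -i 's@LANG=.*$@LANG="en_US.UTF-8"@g' /etc/sysconfig/i18n
  source /etc/sysconfig/i18n
  yum -y install redhat-lsb wget.x86_64
  # Major version. `lsb_release -r` prints "Release:<TAB>6.x", so the old
  # `awk -F.` split left two words and the comparison never matched; -s
  # prints the bare "6.x". Fall back to /etc/redhat-release if lsb_release
  # is unavailable (e.g. the yum install above failed).
  local version
  if command -v lsb_release >/dev/null 2>&1; then
    version=$(lsb_release -rs 2>/dev/null | cut -d. -f1)
  else
    version=$(sed -n 's/.*release \([0-9][0-9]*\).*/\1/p' /etc/redhat-release 2>/dev/null)
  fi
  if [[ "$version" != "6" ]]; then
    echo "this script is only for CentOS 6 !"
    exit 1
  fi
  cat <<'EOF'
+--------------------------------------+
|check env finished,it seems ok..... ! |
+--------------------------------------+
EOF
  sleep 1
  echo -e "\n"
}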
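#######################################
# Install the build/runtime package set. EPEL used to be fetched as a bare
# RPM over plain HTTP from a third-party mirror and installed with rpm -ivh,
# i.e. with no signature/key check; CentOS 6's "extras" repo provides
# epel-release, so let yum (with gpgcheck) install it instead.
#######################################
_tune_install_packages() {
  yum -y install epel-release \
    || echo "warning: epel-release could not be installed via yum" >&2
  # Package names fixed: libjpeg-devel, libpng-devel, libtool, libtool-ltdl
  # (the originals libjpeg_devel/libpng_devel/libool/libool-ltdl don't exist).
  local pkgs=(glibc glibc-static glibc-devel glib2 glib2-devel bzip2 bzip2-devel
    ncurses ncurses-devel libaio readline-devel curl curl-devel libidn libidn-devel
    autoconf libjpeg libjpeg-devel libpng libpng-devel freetype freetype-devel
    libxml2 libxml2-devel zlib zlib-devel gcc gcc-c++ lrzsz ntpdate nmap.x86_64
    lsof.x86_64 sysstat.x86_64 glances kernel-devel openssl openssl-devel
    popt-devel popt-static libnl-devel libicu-devel libevent-devel tree nc make
    cmake jemalloc pcre pcre-devel pcre-static libzip.x86_64 libzip-devel.x86_64
    libevent-devel libtool libtool-ltdl gd-devel bison vim-enhanced zip unzip
    patch expect)
  # rpm -q prints "package X is not installed" for every absent package.
  local missing p
  missing=$(rpm -q "${pkgs[@]}" | awk '/not installed/ {print $2}')
  for p in $missing; do
    yum -y install "$p"
  done
}

#######################################
# Replace the ntpd daemon with a 5-minute ntpdate cron step (author's choice;
# note ntpdate *steps* the clock where ntpd would slew it).
#######################################
_tune_time_sync() {
  # -x: exact name, so a running ntpdate is not mistaken for ntpd.
  # (The original `[ $(pgrep ntpd) > 0 ]` was a redirection, not a compare,
  # and left a file named "0" in the working directory.)
  if pgrep -x ntpd >/dev/null; then
    pkill -x ntpd
    chkconfig --level 3 ntpd off
  else
    printf 'services ntpd has stoped ...\n'
  fi
  local job='*/5 * * * * /usr/sbin/ntpdate cn.pool.ntp.org > /dev/null 2>&1'
  # Install via crontab(1) so the spool file gets the mode cron expects, and
  # only once (re-running the script used to append a duplicate line).
  if ! crontab -l 2>/dev/null | grep -qF "$job"; then
    { crontab -l 2>/dev/null; printf '%s\n' "$job"; } | crontab -
  fi
}

#######################################
# File-descriptor / process limits. Each persistent edit is idempotent.
# NOTE: rc.local raises nofile to 102400 while limits.conf says 65535 —
# kept as written, but the two should probably agree.
#######################################
_tune_limits() {
  local line
  for line in 'ulimit -SHn 102400' 'modprobe bridge' 'modprobe ip_conntrack'; do
    grep -qxF "$line" /etc/rc.local 2>/dev/null || echo "$line" >> /etc/rc.local
  done
  ulimit -SHn 65535
  if ! grep -qE '^\*[[:space:]]+hard[[:space:]]+nofile[[:space:]]+65535' /etc/security/limits.conf; then
    cat >> /etc/security/limits.conf <<'EOF'
* soft nproc 65535
* hard nproc 65535
* soft nofile 65535
* hard nofile 65535
EOF
  fi
  # limits.d/90-nproc.conf overrides limits.conf for "*" nproc; raise its
  # value when it is numeric and at or below 65500 (same threshold as before).
  local nproc_conf=/etc/security/limits.d/90-nproc.conf
  if [[ -f "$nproc_conf" ]]; then
    local cur
    cur=$(awk '$1 == "*" && $3 == "nproc" {print $4; exit}' "$nproc_conf")
    if [[ "$cur" =~ ^[0-9]+$ ]] && (( cur <= 65500 )); then
      # \1 is the single-digit back-reference; "65535" is literal text.
      sed -i -E "s/^(\*[[:space:]]+[^[:space:]]+[[:space:]]+nproc[[:space:]]+)${cur}\$/\165535/" "$nproc_conf"
    fi
  fi
}

#######################################
# Immutable bit on the account databases. Root can clear it (chattr -i), so
# this is accident/tamper protection, not a real control, and while set it
# BREAKS useradd/usermod/passwd/groupadd and any package scriptlet that
# creates a user — which is why it runs after the package installs above.
#######################################
_tune_lock_account_files() {
  local f
  for f in /etc/passwd /etc/inittab /etc/group /etc/shadow /etc/gshadow; do
    chattr +i "$f"
  done
}

#######################################
# Replace /etc/sysctl.conf (dated backup kept) and apply it.
#######################################
_tune_sysctl() {
  local conf=/etc/sysctl.conf
  # With the non-ASCII quotes fixed, this backup now actually happens, so the
  # distro defaults below must be carried over explicitly.
  [[ -e "$conf" ]] && /bin/mv "$conf" "${conf}$(date +%F)"
  cat >> "$conf" <<'EOF'
# ---- carried over from the stock CentOS 6 /etc/sysctl.conf ----
# (that file is moved aside by this script; without these the forwarding,
#  anti-spoofing and sysrq defaults would silently disappear)
net.ipv4.ip_forward = 0
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.default.accept_source_route = 0
kernel.sysrq = 0
kernel.core_uses_pid = 1
# ---- iptables / conntrack performance ----
# 25M entries is several GB of non-swappable kernel memory if ever filled;
# size this to the host rather than leaving it this large everywhere.
net.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_max = 25000000
net.netfilter.nf_conntrack_tcp_timeout_established = 180
net.netfilter.nf_conntrack_tcp_timeout_time_wait = 120
net.netfilter.nf_conntrack_tcp_timeout_close_wait = 60
net.netfilter.nf_conntrack_tcp_timeout_fin_wait = 120
net.ipv4.tcp_mem = 94500000 915000000 927000000
net.ipv4.tcp_timestamps = 0
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
net.core.netdev_max_backlog = 262144
net.core.somaxconn = 262144
net.ipv4.tcp_max_orphans = 3276800
net.ipv4.tcp_max_syn_backlog = 262144
net.core.wmem_default = 8388608
net.core.rmem_default = 8388608
# 1s FIN_WAIT2 is very aggressive; orphaned sockets are dropped almost at once.
net.ipv4.tcp_fin_timeout = 1
# NOTE: tcp_tw_reuse and tcp_tw_recycle both rely on TCP timestamps, which
# are disabled above, so they are inert here. tcp_tw_recycle also breaks
# clients behind NAT when it is active — do not "fix" this by re-enabling
# timestamps without dropping tw_recycle.
net.ipv4.tcp_tw_reuse = 1
net.ipv4.tcp_tw_recycle = 1
net.ipv4.tcp_syncookies = 1
net.ipv4.tcp_keepalive_time = 600
# Ephemeral range from 1024 overlaps registered service ports (e.g. 10086,
# opened in init_iptables); prefer 32768+ or list the service ports in
# net.ipv4.ip_local_reserved_ports.
net.ipv4.ip_local_port_range = 1024 65530
net.ipv4.tcp_max_tw_buckets = 36000
net.ipv4.route.gc_timeout = 100
# One retry each: outbound connects and half-open accepts give up fast.
net.ipv4.tcp_syn_retries = 1
net.ipv4.tcp_synack_retries = 1
EOF
  # net.netfilter.* keys exist only once conntrack is loaded; load it first so
  # sysctl -p does not report them as unknown.
  modprobe ip_conntrack
  /sbin/sysctl -p
}

#######################################
# Full tuning pass: upgrade, packages, time sync, limits, file locks, sysctl.
# Globals/side effects: see the helpers above. Entry point unchanged.
#######################################
tune() {
  cat <<'EOF'
+-------------------------+
| start Tunne........ |
+-------------------------+
EOF
  #yum clean all
  #yum makecache
  #rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY*
  yum upgrade -y
  _tune_install_packages
  _tune_time_sync
  _tune_limits
  _tune_lock_account_files
  _tune_sysctl
  cat <<'EOF'
+--------------------------------------------------------------------------+
| Tune finished..... |
| Check_running process limit & check if running process reload and restart|
+--------------------------------------------------------------------------+
EOF
}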
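#######################################
# Ask for confirmation, give a 3s window to abort, then run check_env + tune.
# Any answer other than yes/y/Y exits 1 without touching the system.
# (The original printed the "will start in 3s / Ctrl+c" notice *after* tune
# had already modified the box; it now precedes any change.)
#######################################
start_tune() {
  local answer
  read -r -p "tune start .... yes/no? :" answer
  case "$answer" in
    yes|y|Y)
      cat <<'EOF'
+-------------------------------------------------------+
|start_tune function execute will be start in 3s.... |
|Ctrl+c to be Interrupt.... |
+-------------------------------------------------------+
EOF
      sleep 3
      echo -e "\n"
      check_env
      tune
      ;;
    *)
      exit 1
      ;;
  esac
}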
#disable selinux
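#######################################
# Turn SELinux off: now (setenforce) and across reboots (config edit).
#
# WARNING: this removes mandatory access control entirely; nothing else in
# this script (iptables, chattr +i) substitutes for it. If the motivation is
# AVC denials, SELINUX=permissive plus audit2allow keeps the logging and is
# the safer choice. setenforce prints an error and returns non-zero when
# SELinux is already disabled at boot; that is harmless here.
#######################################
disabled_selinux() {
  setenforce 0
  # Proper ASCII quotes (the original's non-ASCII quotes made sed fail, so
  # only the runtime change applied and SELinux came back on reboot), and
  # anchored on ^SELINUX= so the "#     SELINUX= can take ..." comment line
  # is left untouched.
  sed -i 's#^SELINUX=.*#SELINUX=disabled#' /etc/selinux/config
}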
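#######################################
# Disable every SysV service at boot except a small keep-list.
#
# iptables is added to the keep-list: init_iptables() later writes a rule set
# and restarts the service, and without this the service was disabled here
# and the INPUT DROP policy vanished after the next reboot. Note the list
# still drops auditd (audit logging) — review whether that is intended.
# Services are disabled one by one in a loop instead of piping generated
# command lines into bash; only lines with runlevel fields (SysV entries,
# not the "xinetd based services" block) are considered.
#######################################
stop_server() {
  local keep='^(crond|sshd|network|rsyslog|sysstat|iptables)$'
  local svc
  # LANG=C so chkconfig's section headers and field layout are predictable;
  # the original exported LANG=en *after* running chkconfig, and "en" is not
  # an installed locale name, so that export is dropped.
  while read -r svc _; do
    [[ "$svc" =~ $keep ]] && continue
    chkconfig "$svc" off
  done < <(LANG=C chkconfig --list 2>/dev/null | awk '$2 ~ /^0:/ {print $1}')
}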
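#######################################
# Write /etc/sysconfig/iptables (dated backup of any existing file), load it,
# and make sure the service starts at boot.
#
# Rule-set notes (the rules are kept exactly as the author wrote them):
#  - The syn-flood chain is only reached *after* the NEW-state ACCEPTs for
#    22/10086/80, so those ports never see the SYN rate limit, and SYNs to
#    any other port are rejected by the next rule anyway. Simply moving the
#    jump above the ACCEPTs would apply a *global* 3/s limit to the web port;
#    a per-source hashlimit is the right fix if this control is wanted.
#  - The two ICMP rules overlap: the 100/s rule matches first, the 1/s rule
#    only sees what exceeds it.
#  - FORWARD policy is ACCEPT; inert while IP forwarding is off, but revisit
#    if forwarding (or bridging — bridge is modprobed below) is enabled.
#  - Port 10086 is opened to the world; TODO confirm what listens there.
#  - Only IPv4 is filtered here; ip6tables is left at its distro default.
#######################################
init_iptables() {
  local rules=/etc/sysconfig/iptables
  # Proper quotes: the original's non-ASCII quotes made this test always
  # false, so the existing rule set was overwritten without a backup.
  [[ -e "$rules" ]] && /bin/mv "$rules" "${rules}$(date +%F)"
  cat > "$rules" <<'EOF'
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:syn-flood - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 10086 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -p icmp -m limit --limit 100/sec --limit-burst 100 -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 10 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j syn-flood
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A syn-flood -p tcp -m limit --limit 3/sec --limit-burst 6 -j RETURN
-A syn-flood -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
  modprobe bridge
  modprobe ip_conntrack
  # stop_server()'s keep-list does not include iptables, so without this the
  # rules loaded below would not come back after a reboot.
  chkconfig iptables on
  if ! /etc/init.d/iptables restart; then
    echo "iptables restart failed; rules in $rules were not applied" >&2
  fi
}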
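#######################################
# Orchestrate the whole run.
# start_tune prompts for confirmation and then runs check_env and tune
# itself; the previous version also called both directly first, so the
# entire tuning pass ran twice (appending duplicate limits/cron/rc.local
# entries) and modified the box before the yes/no prompt was ever shown.
#######################################
sys_init() {
  start_tune
  disabled_selinux
  stop_server
  init_iptables
}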
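#######################################
# Add a coloured PS1 to root's bashrc (once) and source it.
# Arguments: $1 - rc file to update (optional, default /root/.bashrc;
#            the original checked /root/.bashrc but wrote to ~/.bashrc).
# The PS1 line is written with real single quotes — the original's
# non-ASCII quotes let bash expand the escapes before they hit the file.
#######################################
color_env() {
  local rc=${1:-/root/.bashrc}
  local ps1_line='PS1="\[\e[37;40m\][\[\e[32;40m\]\u\[\e[37;40m\]@\h \[\e[35;40m\]\W\[\e[0m\]]\\$ "'
  # An existing PS1 assignment wins; never append a second one.
  if ! grep -q '^PS1' "$rc" 2>/dev/null; then
    printf '%s\n' "$ps1_line" >> "$rc"
  fi
  source "$rc"
}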
# Entry point: run the full system init, then colour root's prompt.
main() {
  sys_init
  color_env
}
main "$@"